Background
[0001] For purposes of analyzing relatively large data sets (often called "big data"), computer
systems have increasingly large main memories. One type of memory is a volatile
memory, such as a Dynamic Random Access Memory (DRAM). A volatile memory loses its
content in the event of a power loss. Moreover, the memory cells of certain volatile
memories, such as the DRAM, are frequently refreshed to avoid data loss. Another type
of memory is a non-volatile memory (NVM), which retains its data in the event of a
power loss. The memory cells of an NVM retain their stored data without being refreshed.
[0002] A memory may be located in an insecure area of an electronic system. As such, data
stored in the memory may be encrypted to prevent unauthorized access to the underlying
information.
Document
US 2014/247944 A1 discloses an encryption and decryption method of a sensitive plaintext to be protected.
During the encryption method an encryption key is generated using a nonce.
Document
WO2005036406 relates to the decryption and encryption in write accesses to a memory, as used for
example for securing data in smart cards; this document discloses a
solution that provides a memory access / decryption scheme so that the implementation
is more effective.
Document
US 2015074426 discloses generating an initialization vector for encrypting the data.
The initialization vector is based on a record identifier and a value that
changes every time the record identifier is written to.
Document
US5915025A discloses an encryption method in which, upon receiving target data to be encrypted,
an encryption key generation unit generates an encryption key in accordance with an
attribute of the target data.
[0003] The invention is defined in the independent claims 1 and 5.
Brief Description of the Drawings
[0004]
Fig 1 is a schematic diagram of a computer system according to an example implementation.
Fig. 2A is an illustration of operations performed by a memory controller of the computer
system to store content in an encrypted memory of the system according to an example
implementation.
Fig. 2B is an illustration of operations performed by the memory controller to read
content from the encrypted memory according to an example implementation.
Fig. 3 is an illustration of operations performed by the memory controller to shred
content stored in the memory according to an example implementation.
Fig. 4 is a flow diagram depicting a cryptographic-based technique to initialize memory
content according to an example implementation.
Fig. 5A is an illustration of operations to read content from an encrypted memory
according to an example implementation.
Fig. 5B is an illustration of operations to initialize a region of memory according
to an example implementation.
Fig. 6 is a flow diagram of a cryptographic-based technique to shred memory content
according to an example implementation.
Fig. 7 is an illustration of an initialization vector (IV) according to an example
implementation.
Detailed Description
[0005] A computer system may employ measures to protect data associated with applications
executing on the system from being exposed to internal or external adversaries. One
approach to protect data from one application from being visible to another application
includes clearing, or "zeroing," units of memory (pages of memory, for example) before
the units are allocated to a new application. In this manner, the computer system
may zero a given memory unit by writing zeros to all of the addressable locations
of the unit. Due to the zeroing, the newly-allocated units of memory do not contain
data traces left behind by other applications to which the units were previously allocated.
[0006] Non-Volatile Memories (NVMs) are increasingly being used as replacements for
volatile memories. As examples, NVMs include flash memories, memristors, phase change
memories, ferroelectric random access memories (F-RAMs) and magnetoresistive random
access memories (MRAMs), to name a few. In general, an NVM may have advantages over
a volatile memory. For example, the NVM may be more scalable, as compared to a volatile
memory, thereby providing a higher storage density. Other advantages may be that NVM
cells are not refreshed (thereby not consuming refresh power); the NVM does not lose
its content upon power loss; and the NVM allows for the potential of persistent data.
[0007] A potential challenge, however, with using zeroing to protect application data in
an NVM-based computer system is that the NVM may have a relatively large write latency
(i.e., an NVM device may take a relatively longer time to store data, as compared
to a volatile memory device). Therefore, for example, zeroing an NVM page may consume
more time than zeroing a page of volatile memory. Another potential challenge in zeroing
NVM is that an NVM cell may be written a finite number of times before the cell is
no longer usable. Therefore, the above-described zeroing approach may potentially
impact the lifetime of the NVM.
[0008] In accordance with example implementations, instead of writing zeros to a given memory
region to initialize the region, a memory controller is constructed to change a nonce
that is used along with a key as part of a decryption process to decrypt content from
the region. Therefore, in effect, the memory controller "shreds" the content contained
in the initialized memory region, without actually writing to the region.
[0009] More specifically, in accordance with example implementations, a computer system
includes a memory controller that is constructed to store content in an encrypted
memory as well as retrieve content from the memory. In this manner, the memory controller
encrypts plaintext data to be stored in the memory and decrypts encrypted data retrieved
from the memory to generate corresponding plaintext data.
[0010] In accordance with example implementations, the memory controller changes a nonce
value that is used to encrypt data stored in a given memory region (a region having
cache line-aligned boundaries, for example) for purposes of initializing the region.
More specifically, the memory controller encrypts plaintext data that is stored in
a given region of the memory 140 based on a stored nonce value and a key (a key associated
with the memory controller, for example). In this regard, the memory controller uses
the key and the nonce value to 1.) encrypt plaintext data for purposes of storing
content in the memory region; and 2.) decrypt encrypted data retrieved from the memory
region for purposes of reading content from the region. The memory controller changes
the nonce value each time data is written to the memory region. In accordance with
example implementations, the memory controller changes the nonce value for another
purpose: in response to a request to initialize a given memory region (a request to
shred the region or zero fill the region, as examples), the memory controller changes
the nonce value to effectively initialize the region by preventing the content of
the region from being recovered.
[0011] As a more specific example, Fig. 1 depicts a computer system 100 in accordance with
example implementations. The computer system 100 contains actual hardware and actual
machine executable instructions, or "software." In this manner, the computer system
100 may contain such hardware as one or multiple trusted processors 124, a memory
controller 130, and a memory 164. The machine executable instructions may include,
as examples, instructions that when executed by one or multiple processors (such as
trusted processor 124) form an operating system; one or multiple device drivers; one
or multiple applications, and so forth. In accordance with example implementations,
the memory 164 may be an NVM, although the memory 164 may be a volatile memory, in
accordance with further example implementations.
[0012] The computer system 100 includes a trusted, secure area 120, which contains
trusted components, such as the trusted processor 124 and the memory controller 130.
Because these components are trusted, communications between the trusted processor
124 and the memory controller 130 are not encrypted. In general, the trusted processor
124 generates memory requests 126 for the memory 164, and these requests are handled
by the memory controller 130.
[0013] For example, the memory request 126 may be a read request to read data from a particular
region (a cache line boundary-aligned region, for example) of the memory 164, and
the read request identifies the address of the region. As another example, the memory
request 126 may be a write request to write plaintext data to a particular region
of the memory 164, and the write request contains the plaintext data and identifies
the address of the region. As another example, the memory request 126 may be an initialization
request, such as a shred request, to initialize a particular region of the memory
so that the initialized region may be allocated to an application.
[0014] In this manner, the initialization request may be a request (a zero fill request,
for example) for the memory controller 130 to store a predetermined data pattern (all
zeroes, for example) in the region of memory. The initialization request may be a
request for the memory controller 130 to shred the content of the region of memory,
i.e., a request to alter the content that is currently stored in the region at the
time of the request so that the content may not be recovered.
[0015] The initialization request may be communicated to the memory controller 130 in a number
of different ways, depending on the particular implementation. For example, in accordance
with some implementations, the initialization request may be communicated to the memory
controller 130 by the trusted processor 124 executing machine executable instructions
that cause a user level process to pass a virtual address to a kernel of an operating
system using a system call; and in response to the system call, the operating system
kernel may write the physical address of the page to be initialized to a memory-mapped
input/output (I/O) register 131 of the memory controller 130. It is noted that such
a mechanism may be used, in lieu of having applications directly write to the register
131, as such application access may introduce a security vulnerability.
[0016] As depicted in Fig. 1, the memory controller 130 may also furnish responses 128 to
the trusted processor 124. As examples, the responses 128 may include a response to
a read request to the memory 164, which includes the read, plaintext data. The responses
128 may also include acknowledgments by the memory controller 130 that write and shred
requests have been processed by the controller 130.
[0017] In general, the memory controller 130 controls the flow of data into and out of the
memory 164 in response to requests that are provided by requestors of the computer
system 100, such as the trusted processor 124. Other requestors may include other
trusted processors, a direct memory access (DMA) controller, a graphics controller,
and so forth.
[0018] The memory controller 130 communicates encrypted data 155 with the memory 164, as
the memory 164, along with the memory bus 162 used to communicate the data 155, may
be located in what is considered an untrusted, or insecure, area 160 of the computer
system 100. In accordance with example implementations, to process a request 126 that
involves writing data in or reading data from the memory 164, the memory controller
130 generates the appropriate bus signals on the memory bus 162. For example, to write
data to the memory 164, the memory controller 130 provides control signals that identify
the bus operation as being a write operation, address signals that represent an address
of the memory 164 in which the encrypted data 155 is to be stored and data signals
that represent the encrypted data 155. The memory 164 responds by storing the data
in the memory cells associated with the address.
[0019] To read data from the memory 164, the memory controller 130 provides signals to the
memory bus 162, such as control signals that identify the bus operation as being a
read operation and address signals that represent a physical address of the memory
164 from which the encrypted data 155 is to be retrieved. The memory 164 responds by
providing data signals to the memory bus 162, which represent the encrypted data 155
stored in the memory cells associated with the address.
[0020] In accordance with example implementations, the memory controller 130 may be an integrated
circuit (IC). Moreover, in accordance with example implementations, the memory controller
130 may be part of an IC that contains a bridge (a north bridge, for example) that is separate
from the trusted processor 124. In accordance with further example implementations,
the memory controller 130 may be part of a semiconductor package that contains the
trusted processor 124. In accordance with some implementations, the trusted processor
124 and the memory controller 130 may be part of a trusted platform module (TPM).
[0021] For purposes of encrypting data that is communicated to the memory 164 as well as
decrypting data received from the memory 164, the memory controller 130 includes a
cryptography engine 136. In accordance with example implementations, for purposes
of encrypting and decrypting data, the cryptography engine 136 uses a block cipher
that has a counter mode of operation (an Advanced Encryption Standard (AES)- based
cipher, for example). As depicted in Fig. 1, in accordance with example implementations,
the controller 130 further includes a shredder engine 150, which responds to initialization
requests (shred requests, for example) for purposes of initializing (shredding, for example)
regions of the memory 164, as described further herein.
[0022] Among its other features, the memory controller 130 may include a local memory 140,
which stores nonce values 144, which are used for purposes of encrypting and decrypting
data for purposes of storing and retrieving content to and from the memory 164, as
further described herein. In accordance with some implementations, the memory 140
may be a volatile memory, such as a static random access memory (SRAM). Moreover,
in accordance with example implementations, the memory controller 130 may back up the
content of the memory 140 to an NVM (not shown) of the secure area 120 for purposes
of allowing recovery of content from the memory 164 (using the nonce values stored
in the NVM) in the event of a power failure.
[0023] Fig. 2A is an illustration 200 of operations performed by the memory controller 130
to store content in the memory 164, in accordance with example implementations. Referring
to Fig. 2A in conjunction with Fig. 1, in accordance with example implementations,
the cryptography engine 136 uses an AES-based block cipher in a counter mode, which,
in turn, uses counters, which have associated counter values, called "initialization
vectors (IVs) 206" herein. To store content in the memory 164 in connection with a
write request that is directed to a cache line boundary-aligned region (herein called
a "cache line region") of the memory 164, the cryptography engine 136 encrypts plaintext
data 201 that is provided as part of the request based on a key 204, a cache line
address 202 and an IV 206.
[0024] The key 204, in accordance with example implementations, is a key that is associated
with the memory controller 130 and is used by the memory controller 130 for purposes
of encrypting and decrypting all of its data. In accordance with further example implementations,
the key may be a key that is associated with a particular region of the memory 140,
and as such, the memory controller 130 may select the key based on a particular memory
region being accessed. The IV 206 depends on a counter value that is provided by a
cache line counter 210, which is associated with the cache line region associated
with the write operation. In this manner, in accordance with example implementations,
the memory 140 stores multiple counters 210, where each counter 210 is associated
with a corresponding cache line region of the memory 164.
[0025] In accordance with example implementations, every time the memory controller 130
writes data to a given cache line region, the cryptography engine 136 increments the
corresponding cache line counter 210 to increment the corresponding IV 206. The incrementing
of the counter 210 is depicted in Fig. 2A by a counter increment output 207-A of the
cryptography engine 136. In this manner, in accordance with example implementations,
the cryptography engine 136 has counter increment outputs 207 that increment associated
counters 210 when the memory controller encrypts data for storage in the associated
cache line regions of the memory 164. In accordance with example implementations,
the cryptography engine 136 encrypts the plaintext data 201 based on the key 204,
cache address 202 and the IV 206 to generate encrypted data 214 that is written by
the memory controller 130 to the memory 164.
[0026] Fig. 2B depicts operations 240 performed by the memory controller 130 to retrieve
the content from the cache line region in response to a read request that targets
the region. Referring to Fig. 2B in conjunction with Fig. 1, the IV 206, i.e., the
value of the counter 210, does not change if new data is not written to the cache
line region. Therefore, to retrieve the data corresponding to the cache line region
from the memory 164, the cryptography engine 136 applies the same IV 206 used to encrypt
the data (before storing the encrypted data in the region) to decrypt data 244 retrieved
from the memory 164 for purposes of producing corresponding plaintext data 250.
[0027] Fig. 3 generally depicts operations 300 that are performed by the memory controller
130 in response to receiving a shred command 301 to shred a given page of the memory
164. The page is associated with multiple cache line regions. Referring to Fig. 3
in conjunction with Fig. 1, in lieu of writing zeroes or other content to the given
page of memory 164, the shredder engine 150 changes cache line counters 310 (and changes
the corresponding IVs 206, for example) that correspond to the cache line regions
of the shredded page. In this manner, Fig. 3 depicts the shredder engine 150 providing
counter increment outputs 311 that increment the counters 310 that are associated
with the page being shredded; and Fig. 3 also depicts other cache line counters 312
that are not associated with the page being shredded. By changing the counter values,
the content of the shredded page is effectively rendered as "garbage," as the memory
controller 130 no longer stores the IVs 206 for decrypting the content of the page.
[0028] Thus, referring to Fig. 4, in accordance with example implementations, a technique
400 includes receiving (block 404) a request to initialize a region of memory, where
content stored in the region is encrypted based at least in part on one or multiple
stored nonce values and a key. The technique 400 includes, in response to the request,
performing cryptographic-based initialization of the memory, including altering the
stored nonce value(s) to initialize the region of memory, pursuant to block 408.
[0029] Referring to Fig. 5A in conjunction with Fig. 1, thus, in accordance with example
implementations, a memory controller 510, in response to a read request 514, applies
a stored nonce value 516 as part of a cipher 515 to decrypt encrypted data 520 targeted
in a region 524 of a memory 535 by the read request 514 to provide corresponding decrypted
content 530. Referring to Fig. 5B in conjunction with Fig. 5A, in response to receiving
an initialization request 554 to initialize the memory region 524, the memory controller
510 alters the stored nonce value 516 to generate an altered nonce 560. Due to this
altering of the nonce value, the encrypted data 520 in the region 524 may not be recovered.
[0030] Referring to Fig. 6, in accordance with example implementations, a technique 600
includes receiving (block 604) a request to shred content, which is stored as encrypted
data in a page of a memory. The page is associated with a group of cache line boundary-aligned
regions. The technique 600 includes changing (block 608) initialization vectors associated
with the group of cache line boundary-aligned regions to shred the content.
[0031] In accordance with example implementations, the initialization request may be a zero
page or zero fill request, and as such, an operating system of the computer system
100 may expect a block of zeroes to be returned from an initialized page (instead of
the returned, shredded "garbage"). Therefore, in accordance with some implementations,
the memory controller 130 may return a block of zeroes to the operating system without
actually communicating with the memory. For these implementations, the memory controller
may track which pages are shredded using the cache line region counter. More specifically,
in accordance with example implementations, the cache line region counter may provide
an IV 700 that has a format such as the one that is depicted in Fig. 7.
[0032] Referring to Fig. 7, the IV 700 includes a major counter portion 702 and a minor
counter portion 704. In general, the major counter portion 702 of the IV 700 tracks
pages and is incremented for different pages of the memory; and the minor portion
704 of the IV 700 corresponds to counter bits that are incremented to generate the
different IVs or nonce values for the cache line regions of the page.
[0033] In accordance with example implementations, the memory controller 130 sets the minor
counter portion 704 to a predetermined bit value to indicate whether the corresponding
page is a shredded page. For example, in accordance with some implementations, the
memory controller 130 may zero the minor counter portion 704, or set all of the bits
of the minor counter portion 704 to zero. Therefore, for these example implementations,
when the memory controller 130 shreds a given page, the memory controller 130 may
clear the minor counter portion 704; and subsequently, when the memory controller
accesses a given page and determines that its associated minor counter portion 704
is zero, then the memory controller returns a block of zeroes to the operating system.
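The write, read and shred operations of paragraphs [0023] to [0027], together with the major/minor IV format and the zero-return check of [0032] and [0033], modelled as an added example; this is illustrative code, not the patent's or any product's implementation. It assumes AES-CTR, 64-byte cache line regions, 4096-byte pages, a constructed counter-block layout (address | major | minor | block index), and that a shred also advances the major counter so a later write to the same line never reuses a counter block under the same key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

const (
	LineSize = 64   // one cache line region, in bytes (assumed)
	PageSize = 4096 // one page = 64 cache line regions (assumed)
)

// lineCounter is the per-cache-line nonce (IV 700): a major portion that
// changes when the page is shredded/reallocated and a minor portion that
// changes on every write. minor == 0 marks a shredded (zero-filled) line.
type lineCounter struct {
	major uint16
	minor uint32
}

// Controller models the trusted memory controller 130. Only the
// encrypted memory map stands in for the insecure-area memory 164.
type Controller struct {
	block    cipher.Block
	counters map[uint64]lineCounter // counters 210, indexed by line address
	memory   map[uint64][]byte      // encrypted data 155, per line address
}

func NewController(key []byte) (*Controller, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return &Controller{block: b, counters: map[uint64]lineCounter{}, memory: map[uint64][]byte{}}, nil
}

// ivFor builds the AES-CTR counter block from the cache line address 202 and the
// major/minor counter. Layout (assumed): addr(8) | major(2) | minor(4) | idx(2).
// CTR increments the trailing idx bytes for the four 16-byte blocks of one line,
// so it never touches the minor counter bits.
func ivFor(addr uint64, c lineCounter) []byte {
	iv := make([]byte, aes.BlockSize)
	binary.BigEndian.PutUint64(iv[0:8], addr)
	binary.BigEndian.PutUint16(iv[8:10], c.major)
	binary.BigEndian.PutUint32(iv[10:14], c.minor)
	return iv
}

func (m *Controller) xorStream(addr uint64, c lineCounter, in []byte) []byte {
	out := make([]byte, len(in))
	cipher.NewCTR(m.block, ivFor(addr, c)).XORKeyStream(out, in)
	return out
}

// Write encrypts one aligned cache line. The minor counter is incremented
// before every write ([0025]), so a keystream is never reused for this line.
func (m *Controller) Write(addr uint64, plaintext []byte) error {
	if addr%LineSize != 0 || len(plaintext) != LineSize {
		return fmt.Errorf("write must cover exactly one aligned cache line")
	}
	c := m.counters[addr]
	c.minor++
	m.counters[addr] = c
	m.memory[addr] = m.xorStream(addr, c, plaintext)
	return nil
}

// Read decrypts one cache line with the stored counter. A zero minor counter
// marks a shredded line, so zeros are returned without any memory access ([0033]).
func (m *Controller) Read(addr uint64) []byte {
	c := m.counters[addr]
	if c.minor == 0 {
		return make([]byte, LineSize)
	}
	return m.xorStream(addr, c, m.memory[addr])
}

// ShredPage initializes a page without writing to it ([0027]): every line's
// minor counter is cleared and its major counter advanced, so the IVs needed
// to decrypt the ciphertext still in memory no longer exist anywhere.
func (m *Controller) ShredPage(pageAddr uint64) {
	for off := uint64(0); off < PageSize; off += LineSize {
		c := m.counters[pageAddr+off]
		c.major++
		c.minor = 0
		m.counters[pageAddr+off] = c
	}
}

func main() {
	key := bytes.Repeat([]byte{0x2b}, 16) // constructed demo key, not a real secret
	mc, _ := NewController(key)
	line := bytes.Repeat([]byte("secret!!"), 8) // constructed 64-byte plaintext
	_ = mc.Write(0x1000, line)
	stored := append([]byte(nil), mc.memory[0x1000]...)
	mc.ShredPage(0x1000)
	fmt.Println("memory untouched by shred:", bytes.Equal(stored, mc.memory[0x1000]))
	fmt.Println("shredded line reads as zeros:", bytes.Equal(mc.Read(0x1000), make([]byte, LineSize)))
}
```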
[0034] In accordance with some implementations, the memory controller 130 invalidates shredded
cache line memory regions. For example, in accordance with some implementations, the
shred command may be followed with the execution of PCOMMIT and SFENCE instructions.
It is assumed for this approach that the address range of the register 131 (Fig. 1)
is declared as persistent, and the memory controller 130 marks the shred command write
as being flushed when all of the invalidations have been posted. In accordance with
further example implementations, the memory controller 130 may loop to continuously
read the register 131 until the register 131 returns the value of zero. The memory
controller 130 may then set the value stored in the register 131 to zero after sending
out all of the invalidations. Such a waiting loop does not generate any traffic on
the memory bus 162.
[0035] Other implementations are contemplated, which are within the scope of the appended
claims. For example, although shredding of a main memory of a computer system is described
herein, the shredding techniques and systems that are described herein may be applied
to other memories. For example, in accordance with further example implementations,
the memory may be a storage memory of a storage system. As another example, in accordance
with further example implementations, the cryptography engine 136 may use another
block-based cipher that uses an IV, such as a cipher block chaining (CBC) cipher or
a cipher feedback (CFB) cipher.
[0036] While the present invention has been described with respect to a limited number of
embodiments, those skilled in the art, having the benefit of this disclosure, will
appreciate numerous modifications and variations therefrom. It is intended that the
appended claims cover all such modifications and variations as fall within the scope
of this present invention.
Claims
1. A method, comprising:
receiving a request (126) to initialize a region of a memory (164), wherein the content
stored in the region is encrypted based at least in part on a stored nonce value (144)
and a key; and
performing a cryptographic-based initialization of the memory (164) in response to the
request (126), including altering the stored nonce value (144) to initialize the region
of the memory (164), characterized in that the region is associated with a cache line, and altering the stored nonce value
(144) comprises changing a counter value that is associated with the cache line.
2. The method of claim 1, wherein the stored nonce value (144) comprises a counter value
and altering the stored nonce value (144) comprises incrementing the counter value.
3. The method of claim 1, wherein the region is associated with a plurality of cache lines
and the stored nonce value (144) is one of a plurality of stored nonce values (144),
the method further comprising:
altering the plurality of stored nonce values (144) to shred the content.
4. The method of claim 1, further comprising:
encrypting the content, before receiving the request (126), based at least in part on
the stored nonce value (144), the key and a cache line address to provide the encrypted
data.
5. A system, comprising:
a memory (164) for storing encrypted data in the memory (164), wherein the encrypted
data is associated with content that is encrypted based at least in part on a nonce
value (144);
a processor (124) for providing a request that is associated with a region of the memory
(164) that contains the encrypted data; and
a memory controller (130) that operates according to the method of any one of claims 1
to 4.